fix(tests): patch REPORT_OUTPUT_DIR in report router tests to satisfy path traversal check

backend/tests/test_professional_reports_router.py

@@ -1,42 +1,48 @@
 """Professional reports router tests (FASE-2.4)."""
 
+import os
+import tempfile
 from unittest.mock import patch
 
 from app.models.campaign import Campaign
+from app.config import settings
 
 
 @patch("app.services.report_generation_service.generate_purple_campaign_report")
 def test_purple_campaign_pdf_download(mock_gen, client, auth_headers, db):
-    mock_gen.return_value = __file__  # existing file for FileResponse
+    with tempfile.TemporaryDirectory() as tmpdir:
+        fake_pdf = os.path.join(tmpdir, "report.pdf")
+        with open(fake_pdf, "wb") as f:
+            f.write(b"%PDF-1.4 fake")
+        mock_gen.return_value = fake_pdf
 
-    campaign = Campaign(name="Export Camp", status="active")
-    db.add(campaign)
-    db.commit()
+        with patch.object(settings, "REPORT_OUTPUT_DIR", tmpdir):
+            campaign = Campaign(name="Export Camp", status="active")
+            db.add(campaign)
+            db.commit()
 
-    r = client.get(
-        f"/api/v1/reports/generate/purple-campaign/{campaign.id}",
-        params={"format": "pdf"},
-        headers=auth_headers,
-    )
+            r = client.get(
+                f"/api/v1/reports/generate/purple-campaign/{campaign.id}",
+                params={"format": "pdf"},
+                headers=auth_headers,
+            )
     assert r.status_code == 200
     assert r.headers["content-type"] == "application/pdf"
 
 
 @patch("app.services.report_generation_service.generate_coverage_report")
 def test_coverage_summary_html(mock_gen, client, auth_headers):
-    import tempfile
-    import os
+    with tempfile.TemporaryDirectory() as tmpdir:
+        fake_html = os.path.join(tmpdir, "report.html")
+        with open(fake_html, "w") as f:
+            f.write("<html><body>ok</body></html>")
+        mock_gen.return_value = fake_html
 
-    fd, path = tempfile.mkstemp(suffix=".html")
-    os.write(fd, b"<html><body>ok</body></html>")
-    os.close(fd)
-    mock_gen.return_value = path
-
-    r = client.get(
-        "/api/v1/reports/generate/coverage-summary",
-        params={"format": "html"},
-        headers=auth_headers,
-    )
+        with patch.object(settings, "REPORT_OUTPUT_DIR", tmpdir):
+            r = client.get(
+                "/api/v1/reports/generate/coverage-summary",
+                params={"format": "html"},
+                headers=auth_headers,
+            )
     assert r.status_code == 200
     assert "text/html" in r.headers["content-type"]
-    os.unlink(path)